Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Description
The ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false.
The reason is that an attacker can force an empty referrer in at least two ways:
- If the victim site runs over http, the attacker can create a "mallory page" under an https site. In this case (namely https-to-http) the referrer is not passed.
- The attacker creates a dynamic post doing something like:
<html>
<head>
<script>
function load() {
  // Build a form that posts to the target; the action and field values below are the ones from the report.
  var postdata = '<form id=dynForm method=POST action=\'https://www.google.com\'>' +
    '<input type=hidden name=email value=example@live.com />' +
    '<input type=hidden name=pass value=password />' +
    '<input type=hidden name=locale value=en_US />' +
    '</form>';
  // Inject the form into the about:blank iframe (same-origin with this page) and submit it from there,
  // so the browser sends no Referer header with the POST.
  top.frames[0].document.body.innerHTML = postdata;
  top.frames[0].document.getElementById('dynForm').submit();
}
</script>
</head>
<body onload="load()">
<iframe src="about:blank" id="noreferer"></iframe>
</body>
</html>
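The following is an added example, not code from the ReferrerFilter or the reporter: a minimal model of a referrer check with an "allow empty" switch, run against constructed request headers for the four cases that matter here (a legitimate same-site post, a naive cross-site post, the https-to-http case, and the about:blank iframe trick). The trusted host name and header shapes are assumptions made for the example.

```javascript
// Added example (not the project's own ReferrerFilter): a model of a referrer
// check whose allowEmpty flag plays the role of DEFAULT_ALLOW_EMPTY.

// Hypothetical allow-list of hosts from which state-changing requests are accepted.
const TRUSTED_HOSTS = new Set(['victim.example']);

// Decide whether a request may proceed based on its Referer header.
// headers: object with lower-cased header names (assumed normalised upstream).
// opts.allowEmpty: when true, a request carrying no Referer at all is accepted
// without any further check, which is exactly what the report objects to.
function referrerAllowed(headers, opts) {
  const referer = headers['referer'];
  if (referer === undefined || referer === '') {
    return opts.allowEmpty;
  }
  let host;
  try {
    host = new URL(referer).hostname;
  } catch (e) {
    return false; // unparsable Referer: treat as untrusted
  }
  return TRUSTED_HOSTS.has(host);
}

// Constructed request headers (not captured traffic), one per scenario.
const SCENARIOS = {
  // Legitimate same-site form post: the browser sends the victim page as Referer.
  sameSite: { referer: 'http://victim.example/account' },
  // Naive cross-site post from the attacker's page: the Referer exposes it.
  crossSite: { referer: 'http://mallory.example/csrf.html' },
  // Attacker page served over https posting to an http victim: browsers drop
  // the Referer on https-to-http requests, so the header is absent.
  httpsToHttp: {},
  // Form injected into an about:blank iframe and submitted from script: the
  // about: scheme is a local scheme, so no Referer is sent.
  aboutBlankFrame: {},
};

// Run every scenario through the check with the given allowEmpty setting and
// return a map of scenario name -> accepted (true) / rejected (false).
function evaluate(allowEmpty) {
  const result = {};
  for (const [name, headers] of Object.entries(SCENARIOS)) {
    result[name] = referrerAllowed(headers, { allowEmpty });
  }
  return result;
}

// Stand-alone run: compare the weak default with the hardened one.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('allowEmpty=true ', evaluate(true));
  console.log('allowEmpty=false', evaluate(false));
}
```

With allowEmpty set to true, both forced-empty scenarios are accepted while only the naive cross-site post is rejected; with allowEmpty set to false, only the genuine same-site request passes. Note that the hardened setting also rejects legitimate clients that strip the Referer (privacy extensions, some proxies), which is the trade-off to weigh when changing the default.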